Electronic health information and privacy

November 20, 2008

Harry Cayton, chairman of the National Information Governance Board for Health and Social Care, said that the situation had arisen because of an eagerness to boost UK research ahead of foreign companies.

Currently GPs identify patients who may be suitable for medical trials and it is they who contact the patient to suggest that participation in the research may bring a medical benefit.

We welcome the National Information Governance Board's valuable comments and will consider them along with other responses.

The UK's privacy and data protection watchdog, the Information Commissioner's Office (ICO), is seeking the power to fine businesses up to 10% of their revenues for breaking data laws.

"Technology has moved on apace and in particular the use of the internet information gathering going on that was never conceived of before."

Meanwhile, the ICO revealed this week that 11 government ministers, including education minister Ed Balls, have broken the Data Protection Act which was introduced by the current Labour government in 1998.

A federal appeals court in Boston on Tuesday dealt a setback to the pharmaceutical industry and companies that collect prescription data for use in drug marketing.

Ruling in support of a New Hampshire law, the court upheld the right of states to prohibit the sale of doctor-specific prescription drug data that is widely used in pharmaceutical marketing.

They sued in 2006 to block implementation of the New Hampshire law, which prohibited the sale of computerized data showing which doctors were prescribing what drugs.

The law was intended to cut down on state health care costs by eliminating the tool used by drug sales representatives in promoting brand name drugs.

The information is purchased from pharmacy chains and the companies that manage drug benefits for employers.

The three-judge panel concluded that "the state adequately demonstrated that the Prescription Information Law is reasonably calculated to advance its substantial interest in reducing overall health care costs within New Hampshire."

The privacy of millions of NHS patients will be critically undermined by a government plan to let medical researchers have access to personal files, the health information watchdog told the Guardian last night.

The prime minister and Department of Health want to give Britain's research institutes an advantage against overseas competitors by opening up more than 50m records, to identify patients who might be willing to take part in trials of new drugs and treatments.

They are consulting on a proposal that is buried in the small print of the NHS constitution that would permit researchers for the first time to write to patients who share a particular set of medical conditions to seek their participation in trials.

It would result in patients receiving a letter from a stranger who knew their most intimate medical secrets, which would be regarded by many as a breach of trust by doctors who are supposed to keep information confidential.

Harry Cayton, who is about to take over as chairman of the National Information Governance Board for Health and Social Care, the new watchdog on use of NHS data, said the proposal is "ethically unacceptable".

They want a mechanism by which people's clinical records could be accessed for the purposes of inviting them to take part in research, which at the moment is not allowed.

"It would be saying there is a public interest in research that is so great that it overrides consent and confidentiality.

Cayton said the government issued a handbook alongside the draft NHS constitution saying that researchers should be allowed to use care records, without the informed consent of the patient, to identify people suitable to participate in approved clinical trials.

Researchers may wish to approach individuals in order to gain their consent to participating in a particular piece of research, for example the trial of a new treatment for a particular disease.

If legislation is necessary to implement such a scheme, then we would urge government to bring that legislation forward as quickly as possible."

Cayton said: "There is pressure [for this legislation] from the R&D people at the Department of Health and I understand this is an enthusiasm of the prime minister ...

The crackdown on teen drivers announced yesterday by the Ontario government has two elements.

The first is what it does -- which is widely supported.

The second is how it came to be -- which is a little unsettling.

There is a sense that Premier Dalton McGuinty's government has acted with an alacrity over the deaths of three affluent white young people that's lacking when, say, the bodies are poor or black and similarly victims of their own bad choices or contempt for laws.

There is also at least the appearance that the premier's ear and personal attention are more accessible to those with the wherewithal to mount personalized advertising campaigns than they are to those without.

In July, three young Toronto men were killed when, after an afternoon of drinking at a lakeside club, their speeding sports car crashed through a guardrail into a river in Muskoka.

A female friend, who kicked free of the submerged car, was the only survivor.

Soon afterward, the father of the 20-year-old driver began a campaign -- full-page newspaper ads addressed in large type to the premier -- for tougher restrictions on young drivers.

This despite the fact that laws banning the conduct engaged in that day already existed and that the father admitted to injudicious indulgence and insufficient supervision of a son with a history of acting as if those laws didn't apply to him.

Even so, there can be little doubt that the ads -- "Dear Mr. McGuinty, My Son is Dead" -- got the premier's personal attention.

There was a meeting between the two men in September.

There was a personal phone call from the premier last week to inform the father the legislation introduced yesterday was coming.

McGuinty has sons not much older than the victims.

It was obvious he could easily put himself in the father's shoes.

"It was a very compelling story," he told reporters yesterday.

Not only that, the premier said that if certain obvious discriminations in the legislation -- some likely to draw human rights or constitutional complaints -- had to be perpetrated against young drivers to keep them safe, so be it.

November 17, 2008

"Sadly, 2008 has undoubtedly been the year of data breaches and data losses," said Information Commissioner Richard Thomas in a speech to the RSA Conference Europe about data breaches.

There have been 28 breaches by central government; 75 within the NHS and other health bodies; with 80 reported in the private sector.

I recognise that some breaches are being discovered because of improved checks and audits as a welcome result of taking data security more seriously.

Much more worrying is where -- in an age of ever increasing cyber-crime, illegal access and identity theft -- organisations are not even aware that personal information which they hold has been stolen, obtained by fraud or otherwise fallen into the wrong hands.

Worse still, there are still organisations which are not aware of the risks that they face with any collection of data and have not taken adequate steps to deal with those risks.

Worst of all, are those organisations who have simply failed to understand just how much personal information they are accumulating through more and more and ever-cheaper technology.

Used properly and intelligently, personal information leads to better customer service, improved efficiency, more effective law enforcement and protection of the vulnerable and a better quality of life for everyone.

But this means that respecting and protecting people's privacy and personal information -- data protection -- has never been more important.

As government, public, private and third sectors harness new technology to collect vast amounts of personal information, the risks of information being abused increase.

The more you centralise data collection, the greater the risk of multiple records going missing or wrong decisions about real people being made.

It is therefore alarming that -- despite high profile data losses, the threat of enforcement action, a plethora of reports on data handling and clear ICO guidance -- the flow of data breaches and sloppy information handling continues.

Of course it is important to recognise that incidents vary from regrettable one-off and probably unavoidable accidents to wholesale and systematic failure to take information security seriously.

There must be a wake-up call each time there are headlines about unencrypted laptops which have gone missing, health or financial records found in the streets or memory sticks or hard drives which cannot be accounted for.

There must be complete clarity on who, inside each organisation, has responsibility for safeguarding each set of personal data.

We (and many others) have long argued that our powers, sanctions and resources -- fixed in another era -- are now wholly inadequate.

The notification fee for the largest organisations needs to be increased to give the ICO the resources we need to do our job properly.

As a matter of good practice, the ICO should be contacted immediately when any significant breach is discovered and, with the benefit of risk assessments applying to the particular situation, we can ensure that individuals who are affected are being told where that is necessary or genuinely useful.

But I do not favour placing a statutory duty on organisations to notify people directly whenever a breach occurs and I am doubtful that a satisfactory law could satisfactorily distinguish in advance between situations where notification is needed and those where it is not.

Health and life insurance companies have access to a powerful new tool for evaluating whether to cover individual consumers: a health "credit report" drawn from databases containing prescription drug records on more than 200 million Americans.

Collecting and analyzing personal health information in commercial databases is a fledgling industry, but one poised to take off as the nation enters the age of electronic medical records.

While lawmakers debate how best to oversee the shift to computerized records, some insurers have already begun testing systems that tap into not only prescription drug information, but also data about patients held by clinical and pathological laboratories.

The trend holds promise for improved health care and cost savings, but privacy and consumer advocates fear it is taking place largely outside the scrutiny of federal health regulators and lawmakers.

Ingenix, a Minnesota-based health information services company that had $1.3 billion in sales last year -- and Wisconsin-based rival Milliman -- say the drug profiles are an accurate, less expensive alternative to seeking physician records, which can take months and hundreds of dollars to obtain.

When an insurer makes an online query about an applicant, Ingenix or Milliman's servers scour the data and within minutes or less return reports to a central server at the company.

November 10, 2008

Express Scripts said it has received an anonymous letter containing the names of some 75 clients, along with their dates of birth, Social Security numbers and prescriptions.

"We are cooperating with the FBI and are committed to doing what we can to protect our members' personal information and to track down the person or persons responsible for this criminal act," George Paz, the company's president, said in a statement.